The present invention relates in general to resources addressed by Uniform Resource Locators (URLs), and more specifically to controlling the access of a client system to access-protected remote resources that support relative URLs.
In a typical web application communication scenario, especially a portal application scenario, a user of a client system authenticates himself against the portal application and receives a portal page with a portlet that contains links to access-protected remote resources behind a firewall, which are not directly accessible to the client. A resource proxy therefore has to ensure that all incoming client requests, as well as incoming responses from the access-protected remote resources, are rerouted to their respective destinations.
To achieve this, a common technique is for the rewriter proxy application to detect such links to access-protected remote resources in the incoming content provided by the remote application and to rewrite them so that the rewritten URLs point to the rewriter proxy and contain the original remote location as a parameter. The rewritten URLs then become part of the generated content and replace the original URLs. The user of the client system that displays the content including these rewritten links sends a request to the rewriter proxy, asking it to handle the link traversal. To serve the request, the rewriter proxy extracts the original location of the access-protected remote resource from the rewritten URL and retrieves the resource content to which the link refers.
This commonly used technique of rewriting resource URLs that are handled by a rewriter proxy opens a potential security hole: it allows users to access remote applications protected by security setups that deny access to users and grant access to the remote application only to the proxy application. The security hole arises because most rewriter proxies generate resource URLs in a manner that does not guarantee that a user cannot create URLs that reference known protected resources, appear valid, and are therefore served by the proxy application. Often the location of the access-protected remote resource is simply encoded in the generated resource URL in plain text. An attacker who knows the location of an access-protected remote resource of interest can inspect the content for a valid rewritten resource URL and change the value of the resource location parameter to the location of the protected resource he wants to retrieve. The modified resource URL can then be used to send a request to the rewriter proxy to retrieve the access-protected remote resource. Thus, the attacker can use the rewriter proxy to tunnel through the firewall.
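The weakness described above, next to one common way of closing it, as an added example that is not part of the original text and is not presented as the method this document goes on to describe: the proxy appends an HMAC tag to every URL it rewrites and refuses requests whose tag does not match. The proxy endpoint, key, session identifier and intranet URLs are constructed, and binding the tag to a session is an assumption.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

PROXY = "https://portal.example/proxy"  # hypothetical rewriter proxy endpoint
KEY = b"constructed-demo-key"  # constructed; a real key is random and never leaves the proxy

def rewrite_plain(target):
    """Rewriting as described above: original location as a plain-text parameter."""
    return PROXY + "?" + urlencode({"url": target})

def resolve_plain(rewritten):
    """Proxy side without any check: returns whatever location the parameter names."""
    return parse_qs(urlparse(rewritten).query)["url"][0]

def make_tag(target, session_id):
    """HMAC over session and location, so a tag is valid only for the pair it was issued for."""
    msg = session_id.encode() + b"\n" + target.encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()

def rewrite_signed(target, session_id):
    """Same rewritten URL plus an integrity tag only the proxy can compute."""
    return PROXY + "?" + urlencode({"url": target, "sig": make_tag(target, session_id)})

def resolve_signed(rewritten, session_id):
    """Return the location only if the proxy issued this URL for this session, else None."""
    query = parse_qs(urlparse(rewritten).query)
    target = query.get("url", [""])[0]
    sig = query.get("sig", [""])[0]
    expected = make_tag(target, session_id)
    # Constant-time comparison on bytes; a missing or altered tag fails closed.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    return target

def demo():
    """Swap the location parameter of an issued URL and see what each proxy would serve."""
    issued = "http://intranet.example/app/page.html"  # constructed: link found in portlet content
    other = "http://intranet.example/admin/report"  # constructed: location never issued to the user
    old, new = urlencode({"url": issued}), urlencode({"url": other})
    plain = rewrite_plain(issued).replace(old, new)
    signed = rewrite_signed(issued, "sess-1").replace(old, new)
    return resolve_plain(plain), resolve_signed(signed, "sess-1")

if __name__ == "__main__":
    print(demo())
```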
Another problem with this commonly used technique is the reliability of the link detection. References to other remote resources are represented by URLs that define the address where the resource is located. This address can be defined as absolute or as relative to the URL of the base document in which the resource is referenced. Absolute URLs can be detected and rewritten quite easily by searching the content of a resource for URL expressions that start with a valid protocol followed by a proper host name (e.g., http://somehost.com/somepath). For relative URLs this is more difficult, and it is usually solved by using detection rules for particular content-dependent constructs, such as references in link or image tags in HTML. This kind of detection process for relative URLs is costly, and the quality of its result depends on a complete set of detection rules, because it cannot detect references that do not match one of the defined detection rules.